Differences between revisions 10 and 11
Revision 10 of 2008-03-05 14:19:51
Size: 2578
Comment:
Revision 11 of 2008-08-17 07:57:02
Size: 2596
Author: anonymous
Comment: converted to 1.6 markup
Line 14: Line 14:
 * [attachment:2005-firewire-cansecwest.pdf Folien]
 * [attachment:pyfw_linux.tar.gz Demo code for Linux]
 * [[attachment:2005-firewire-cansecwest.pdf|Folien]]
 * [[attachment:pyfw_linux.tar.gz|Demo code for Linux]]
Line 18: Line 18:
Restart a running crypto system, boot our [http://ulm.ccc.de/hg/memdump modified memtest] to scan the RAM. This works, because SDRAM stays mostly valid on short power off.
Restart a running crypto system, boot our [[http://ulm.ccc.de/hg/memdump|modified memtest]] to scan the RAM. This works, because SDRAM stays mostly valid on short power off.
Line 45: Line 45:
 * [http://wiki.grml.org/doku.php?id=usb install grml to usb stick] used as target system (grml-small 0.4)
 * [[http://wiki.grml.org/doku.php?id=usb|install grml to usb stick]] used as target system (grml-small 0.4)
Line 47: Line 47:
 * [http://www.memtest.org/download/1.70/memtest86+-1.70.tar.gz memtest 1.70]
 * [[http://www.memtest.org/download/1.70/memtest86+-1.70.tar.gz|memtest 1.70]]
Line 52: Line 52:
 * see our [http://ulm.ccc.de/hg/pxeboot modifications]
 * see our [[http://ulm.ccc.de/hg/pxeboot|modifications]]
Line 63: Line 63:
 * [http://events.ccc.de/camp/2007/Fahrplan/track/Hacking/2002.en.html Chaos Communication Camp 2007]
 * [attachment:1300-Cryptokey_forensics_A.pdf Folien]
 * [http://www.hackszine.com/blog/archive/2007/08/cryptographic_key_recovery_fro.html hackszine.com]
 * [[http://events.ccc.de/camp/2007/Fahrplan/track/Hacking/2002.en.html|Chaos Communication Camp 2007]]
 * [[attachment:1300-Cryptokey_forensics_A.pdf|Folien]]
 * [[http://www.hackszine.com/blog/archive/2007/08/cryptographic_key_recovery_fro.html|hackszine.com]]

Crypto systems can be owned if you manage to get a memory dump, because the crypto key must be present in RAM while the system runs. Here we evaluate ways to obtain such a dump and how to recover the key from it.

closed

FireWire - all your memory are belong to us

From http://md.hudora.de/presentations/#firewire-cansecwest

Firewire/i.Link is well known as a way of connecting video devices or external hard disks to computers. One little-known fact is that the Firewire protocol also allows reading and writing the physical memory of connected machines without any further software support. This can be leveraged to escalate privileges or to spy on connected machines. We will present some fun software using FireWire to do things to computers which shouldn't happen.

Memtest

Restart a running crypto system, boot our modified memtest (http://ulm.ccc.de/hg/memdump) to scan the RAM. This works because SDRAM stays mostly valid across a short power off.
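
How much of RAM actually survives the reset is what decides whether this works, so here is an added example (not the memtest modification linked above) that quantifies remanence the same way: fill a region with a known pattern before the reset, dump it afterwards, and count flipped bits per page. The pattern, the 4 KiB page granularity and the constructed dump (decayed cells fall back to a 0x00 ground state) are assumptions of this example.

```python
import random

FILL = bytes.fromhex("a5c3f00d")   # constructed 32-bit test pattern (assumption)
PAGE = 4096                        # report remanence per 4 KiB page (assumption)


def popcount(x: int) -> int:
    """Number of set bits in x (works on any Python 3 version)."""
    return bin(x).count("1")


def expected_image(length: int, fill: bytes = FILL) -> bytes:
    """The bytes the region held before the reset: FILL repeated."""
    return (fill * (length // len(fill) + 1))[:length]


def decay_per_page(dump: bytes, fill: bytes = FILL, page: int = PAGE) -> list:
    """Fraction of bits that flipped since the reset, for each page of the dump."""
    ref = expected_image(len(dump), fill)
    rates = []
    for off in range(0, len(dump), page):
        chunk, want = dump[off:off + page], ref[off:off + page]
        flipped = sum(popcount(a ^ b) for a, b in zip(chunk, want))
        rates.append(flipped / (len(chunk) * 8))
    return rates


def overall_decay(dump: bytes, fill: bytes = FILL) -> float:
    """Fraction of all bits in the dump that no longer match the fill pattern."""
    ref = expected_image(len(dump), fill)
    flipped = sum(popcount(a ^ b) for a, b in zip(dump, ref))
    return flipped / (len(dump) * 8)


def make_dump(pages: int, decayed_page: int, decay: float, seed: int = 1) -> bytes:
    """Constructed stand-in for a memtest dump: the pattern is intact except in
    one page, where a fraction `decay` of the bytes has fallen back to 0x00."""
    rng = random.Random(seed)
    img = bytearray(expected_image(pages * PAGE))
    start = decayed_page * PAGE
    for i in range(start, start + PAGE):
        if rng.random() < decay:
            img[i] = 0x00
    return bytes(img)


if __name__ == "__main__":
    dump = make_dump(pages=4, decayed_page=2, decay=0.5)
    for n, rate in enumerate(decay_per_page(dump)):
        print(f"page {n}: {rate:.1%} of bits flipped")
    print(f"overall: {overall_decay(dump):.2%}")
```

A real run replaces make_dump with the raw bytes of the test region as read back by memtest; pages with a flip rate near zero are the ones where a key-sized value would have survived intact.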

  • dual boot usb stick using grub
    • fdisk -l /dev/sda

Device Boot         Start         End      Blocks   Id  System
/dev/sda1               1         185       97664   83  Linux
/dev/sda2             186         937      397056   83  Linux
  • sda1/boot/device.map

(hd0) /dev/sda
(hd0,0) /dev/sda1
(hd0,1) /dev/sda2
  • cat sda1/boot/grub/menu.lst

default 0
timeout 3

title  grml-small
kernel (hd0,1)/linux26 ramdisk_size=100000 init=/etc/init lang=us usb apm=power-off vga=791 nomce BOOT_IMAGE=grml
initrd (hd0,1)/minirt26.gz

title memtest
kernel (hd0,0)/memtest.bin

gpxe

qemu -cdrom bin/gpxe.iso -serial file:serial.log
  • trigger "DNS resolving" with

imgfetch http://ulm.ccc.de

key recovery

